Is the Transportation Department doing enough about auto cybersecurity?

By Bianca Spinosa

Apr 26, 2016

As cars increasingly rely on software and computerized operating systems, automakers face pressure to beef up cybersecurity, and the government must figure out what it would do if a cyberattack took place on the road.

According to a Government Accountability Office report released on April 25, hackers could penetrate high-tech automotive systems using long-range attacks that target cellular connections and short-range attacks that go after Bluetooth controls. If successful, hackers would be able to access steering, brakes, telematics and other critical controls.

Carmakers, suppliers and cybersecurity firms told GAO that the automotive industry faces several challenges, including a "lack of transparency, communication and collaboration" on cybersecurity at different levels of the supply chain and the high cost of cybersecurity solutions. The industry formed the Automotive Information Sharing and Analysis Centerin 2015 as a place for members to share threat information with one another.

In its report, GAO says the National Highway Traffic Safety Administration should determine how it would respond to a vehicle cyberattack if it happened on the road.

"Until it develops such a plan, in the event of a cyberattack, the agency's response efforts could be slowed as agency staff may not be able to quickly identify the appropriate actions to take," the report states.

NHTSA officials said they are looking into developing government standards or regulations for car cybersecurity but might not make a determination until 2018. The agency is currently funding research into firewall and gateway systems for vehicles, research into delivering firmware updates over the air to connected vehicles and research into solutions for detecting intrusions into automotive systems and software.

However, they said their ability to conduct such research is dependent on funding. NHTSA's Office of Vehicle Safety Research requested $36 million in funding for fiscal 2015 but received only $29 million from Congress.

There has been some action on Capitol Hill to secure high-tech vehicles. TheSecurity and Privacy in Your Car Study Act of 2015, sponsored by Reps. Joe Wilson (R-S.C.) and Ted Lieu (D-Calif.) would require NHTSA to identify areas of possible regulation when it comes to isolating automotive systems, minimizing the risk of hacks and protecting operator data.

"Interconnected cars offer opportunities for safer highways but also increase the risk that cyberattacks could turn our cars into weapons or paralyze an entire city," Lieu said in a statement that urged Congress to move on the legislation. "The GAO study confirms this and shows that progress is being made by both the Department of Transportation and automakers, but there are some glaring holes that need to be addressed quickly."

About the Author

Bianca Spinosa is an Editorial Fellow at FCW.

Spinosa covers a variety of federal technology news for FCW including workforce development, women in tech, and the intersection of start-ups and agencies. Prior to joining FCW, she was a TV journalist for more than six years, reporting local news in Virginia, Kentucky, and North Carolina. Spinosa is currently pursuing her Master’s degree in Writing at George Mason University, where she also teaches composition. She earned her B.A. from the University of Virginia.

The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.